The increase of cyberattacks has led to the disruption of business processes; therefore, information security, business continuity, and risk management have become crucial.
Amongst others, the webinar covers:
• Main changes in the ISO 27002:2022
• Business Continuity’s Role in Cybersecurity and Vice Versa
• Cyber Security vs Information Security
• Value of a Business Continuity Management System
• Advantages of Business Continuity
• Principles of Risk Management
Presenters:
Rinske Geerlings
Rinske is an internationally known consultant, speaker and certified Business Continuity, Information Security & Risk Management trainer.
She was awarded Alumnus of the Year 2012 of Delft University, Australian Business Woman of the Year 2010-13 by BPW, Risk Consultant of the Year 2017 (RMIA/Australasia) and Outstanding Security Consultant 2019 Finalist (OSPAs).
Rinske has consulted to the Department of Prime Minister & Cabinet, 15 Central Banks, APEC, BBC, Shell, Fuji Xerox, NIB Health Funds, ASIC, Departments of Defense, Immigration, Health, Industry, Education, Foreign Affairs and 100s of other public and private organizations across 5 continents.
She has been changing the way organizations ‘plan for the unexpected’. Her facilitation skills enable organizations to achieve their own results and simplify their processes. She applies a fresh, energetic, fun, practical, easy-to-apply, innovative approach to BCM, Security, and Risk.
Michael Kamau Kiiru
Michael Kamau Kiiru is an experienced risk manager and trainer specializing in enterprise risk management and business continuity management. Over his 7-year career he has gained wide knowledge of the training, implementation, maintenance, and continual improvement of business management frameworks across various industries.
He is currently a senior consultant at Sentinel Africa where he leads projects in risk management and business continuity management across Africa.
He is a certified ISO 31000 Lead Risk Manager, ISO 22301 Business Continuity Lead Implementer, ISO 9001 Quality Management System Lead implementer, and ISO 27032 Provisional Cybersecurity Manager.
Betty A. Kildow, FBCI, CBCP
Betty has specialized in business continuity and supply chain continuity consulting for over twenty years, working with a wide-ranging variety of businesses and organizations. She is a PECB ISO 22301 Master, ISO 28000 Lead Implementer and Lead Auditor, and Certified Trainer, as well as a Certified Business Continuity Professional (CBCP) and a Fellow of the Business Continuity Institute (FBCI). Betty is a frequent conference speaker, a skilled trainer, and has written articles that have appeared in professional publications in North America, Europe, and Asia.
Date: April 20, 2022
YouTube video: https://youtu.be/i-Kd6IAB79M
2. Kildow Consulting
Betty A. Kildow
Business continuity and supply chain management consultant, advisor, trainer, speaker, author
More than 25 years partnering with widely diverse businesses and organizations to develop and maintain continuity and resilience
Fellow of the Business Continuity Institute (FBCI) 2002
Certified Business Continuity Professional (CBCP), DRII 1998
ISO 22301 Master
ISO 28000 Lead Implementer/Lead Auditor
Conduct ISO-28000 and ISO-22301 internal audits and reviews
PECB Certified Trainer
Author, A Supply Chain Management Guide to Business Continuity, 2011; in Japanese 「事業継続」のためのサプライチェーン・マネジメント
3. Rinske Geerlings
• Founder & Principal Consultant @ Business As Usual (started 2006)
• MSc (Engineering) – TU Delft, the Netherlands – Honours
• 20+ years of consulting experience globally
• ISO 22301 Master – ISO 31000 Lead Risk Mgr – ISO 27001 Master
• CBCP, MBCI, ITIL Master, COBIT certified
• Regularly conducting ISO 27001 certification audits
• Consulted to 15 Central Banks and 100s of other Government entities, SMEs and larger corporates across Australasia, Africa, Europe and Latin America
Risk Consultant of the Year 2017 (RMIA)
Outstanding Security Consultant of the Year 2019 (OSPAs Finalist)
4. Michael Kamau Kiiru
Senior Consultant at Sentinel Africa Consulting
Experienced risk manager and trainer specializing in enterprise risk management and business continuity management
• ISO 31000 Lead Risk Manager
• ISO 22301 Lead Implementer
• ISO 9001 Lead Implementer
• PECB Certified Trainer
• Worked with clients across industries to develop and review their enterprise risk and business continuity management frameworks.
6. What Is Business Continuity?
1,000,000 choices
• Timely, orderly continuation or rapid restoration of delivery of the organization’s service or product following a disruption of any magnitude.
• Includes strategies and plans developed from the perspective of keeping the most critical functions running while normal operations are restored.
• Capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident. (ISO 22301, clause 3.3)
7. Here is Your First Quiz
What is the precise full official name of ISO-22301 – with all correct punctuation?
8. What is ISO 22301?
• Full name of the standard is: ISO 22301:2019 Societal security – Business continuity management systems – Requirements.
• Billed as the world's first international standard for business continuity management (BCM)
– Written by leading business continuity experts
– Provides the best framework for managing business continuity in an organization.
• An organization can become certified by an accredited certification body and will therefore be able to prove its compliance to its customers, partners, owners and other stakeholders.
• Any organization – large or small, for profit or non-profit, private or public – can implement the standard.
9. ISO 22301 Standard
• Specifies requirements for BCMS management
• Requirements (clauses) are written using the imperative verb “shall”
• Integrates the PDCA (Plan, Do, Check and Act) model
• Auditable
• Organization can obtain certification against this standard
10. Why ISO-22301:2012 Had Me at Hello
Business Continuity Management System
– Includes the supply chain
– Requires top management involvement
– Globally accepted standard
– Sets requirements for a business continuity management system
– Provides guidance on the implementation of a comprehensive Business Continuity Program
– Provides solid evidence of business continuity competence
Published in May 2012 by the technical committee, ISO 22301:2012 is the first international standard for management systems that help ensure business continuity. ISO 22301 is the premium standard for business continuity, and certification demonstrates conformance to rigorous practices to prevent, mitigate, respond to, and recover from disruptive incidents.
11. Value of a Business Continuity Management System
Many stakeholders care about your business continuity capability; some have a vested interest.
In extreme situations the success, even survival, of your organization as it exists today may depend on its business continuity capability.
The number of regulatory and legal requirements that include having a business continuity program continues to increase.
For public utilities there is an ethical requirement to protect the interests of all customers.
Customers need and expect your products and services to be available even when significant disruptions and disasters occur.
Developing, implementing, and maintaining a continuity program ensures the organization can continue operations even in the face of disaster, thus avoiding damage to the company’s brand, image, and reputation, and losses to the bottom line.
12. Advantages of Business Continuity
• Predictable and effective response to crises
• Protection of people
• Maintenance of vital activities of the organization
• Better understanding of the organization
• Mitigation of risks
• Respect of the interested parties
• Protection of the reputation and brand
• Confidence of clients
• Competitive advantage
• Legal compliance
• Regulatory compliance
• Contract compliance
13.
Definition: Establishment of policies and continuous monitoring of their proper implementation by members of the governing body of an organization
• Adopt formal Business Continuity Policy
• Identify who has overall ownership
• Establish a central point of accountability, oversight, and support
• Ensure proper monitoring to ensure requirements are met – and follow up as necessary
• Assign roles and responsibilities
14. Business Continuity’s Value Beyond Business Continuity
• Gather information from across the organization
• Gain an in-depth understanding of the big picture
• Develop a greater understanding of internal and external interdependencies
• Identify redundancies and opportunities for efficiencies
15. COVID – Two Years and Counting
“You can't go back and change the beginning, but you can start where you are and change the ending.” – C.S. Lewis
• Global
• Prolonged
• Impacted people, facilities, equipment, suppliers, technology, infrastructure
• Required extraordinary levels of adaptability
• What seemed impossible was made possible
• Higher awareness of the need for business continuity than ever before
• Unparalleled lessons for needed improvements to our Business Continuity Programs
16. Requirements for Successful Business Continuity
• Enterprise-wide integrated involvement
• Total collaboration among all risk-related business units
• Fully addressing a wide range of internal and external operational risks
• Strategies and plans that are flexible, scalable
17. Internal Partnering
Strategy and plan development
• Give ownership to the implementers
• Train and empower
IT/DR
• Collaborative DR and BC exercises and tests
• IT is also a business unit
One small step for business continuity-kind; one giant step for a successful BCMS
• Adopt a shared glossary of business continuity terms and acronyms that is used across the organization
18.
• Business Continuity Plans need to outline how each individual plan coordinates, collaborates, and communicates with other plans:
– Corporate-level Business Continuity Plan
– Department / Division Business Continuity Plans at all locations
– Business Continuity Plans for strategic, tactical and operational levels
– Disaster Recovery Plan
– Emergency Response Plan
– Other risk-related plans
• A change in one will likely require changes in others
19. Business Continuity’s Role in Cybersecurity and Vice Versa
• It is a fact that BC, DR and Cybersecurity activities often occupy separate silos
• Those barriers need to come down
• Business continuity does not prevent, nor lead the charge to recover from, cyber attacks
• Business Continuity’s role is to ensure that the organization can still function in spite of any disruption, including cyber attacks
Collaboration is the key to success. There is strength and power in coming together to find answers to current and future common challenges.
20. ISO-22301 Essentials for Ongoing Business Continuity Success
• Executive sponsorship, involvement, and commitment
• Focus on sustaining operations essential to the delivery of products and services
• Clearly defined ownership and responsibility
• Full communication of the program enterprise wide
• Full coordination and integration of all risk-related programs
• Regular reviews and audits and updates
• Comprehensive training, exercising and testing
• Integrated into culture and operations
25. ISO 27001 – What is it?
ISO/IEC 27001 (usually shortened to “ISO 27001”) is an Information Security Management System standard written jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). This standard lays out universal best practices for creating and maintaining an information security management system (ISMS).
It helps organizations protect the confidentiality, integrity, and availability (CIA) of their information. These three elements form the basis of good information security.
ISO 27001 helps protect information in any form, but cybersecurity, which protects digital information, plays a major role.
30. ISO 27001 - Will it break or make your process?
• A technical topic well explained in “layman’s terms”
• Generic – 2013 version!
• Helpful as a starting point in order to measure/benchmark your IS maturity
• Good outline of Information Security controls (Annex A)
• Well aligned with other standards and guidelines (e.g. ISO 22301, ISO 31000, SOC2, NIST etc.)
• Various related guidelines for further support (e.g. ISO 27002 – IS controls, ISO 27032 – Cyber Risk, ISO 27017 – Cloud services, ISO 27018 – Personally Identifiable Information in public Clouds, ISO 28000 – Supply Chain Security)
• Note: ISO 27001 goes beyond electronic information security.
32. What is the difference between ISO/IEC 27001 & ISO/IEC 27002?
ISO/IEC 27001 provides requirements for organizations that are seeking to establish, implement, maintain, and continually improve an information security management system. As such, organisations can get certified against it.
ISO/IEC 27002 is an international standard used as a reference for selecting and implementing the information security controls listed in Annex A of ISO/IEC 27001. It is used as guidance on the best practices of information security management, helping organisations in selecting, implementing, and managing the controls of ISO/IEC 27001. Organisations cannot get a certification against ISO/IEC 27002. It serves as supporting material in implementing the requirements.
33. What are the main changes in ISO/IEC 27002:2022?
Number of controls
The revised version of ISO/IEC 27002 published in 2022 decreases the number of information security controls from 114 controls to 93 controls, covered in four sections:
• Organizational controls (clause 5)
• People controls (clause 6)
• Physical controls (clause 7)
• Technological controls (clause 8)
34. What are the main changes in ISO/IEC 27002:2022?
New controls
ISO/IEC 27002:2022 introduced 11 new controls, listed below:
• 5.7 Threat intelligence
• 5.23 Information security for use of cloud services
• 5.30 ICT readiness for business continuity
• 7.4 Physical security monitoring
• 8.9 Configuration management
• 8.10 Information deletion
• 8.11 Data masking
• 8.12 Data leakage prevention
• 8.16 Monitoring activities
• 8.23 Web filtering
• 8.28 Secure coding
35. What are the main changes in ISO/IEC 27002:2022?
Restructuring and merging of sections
• Despite the number of controls being reduced, no controls were excluded in the latest version of the standard; instead, they were merged.
• The new structure is expected to make the assignment of responsibilities and the determination of control applicability easier.
How is ISO/IEC 27002:2022 impacting ISO/IEC 27001?
• There will be an amendment to ISO/IEC 27001:2013 (referred to as ISO/IEC 27001:2013+A1:2022).
• As such, the latest changes in ISO/IEC 27002:2022 will be reflected in Annex A of ISO/IEC 27001 with a normative version of the 93 new controls.
36. When should we start implementing the latest changes?
Once the updated Annex A of ISO/IEC 27001 is published, you will need to update the Statement of Applicability so it can be aligned with the new list of security controls.
Will the changes affect my organisation’s ISO/IEC 27001 certification?
• If you’re currently certified to ISO 27001:2013, you will need to make the transition to ISO 27001:2022 before your first surveillance or recertification audit of 2023.
• Depending on the scope of your ISMS, you could be required to implement up to 11 new controls.
• Before your audit, those controls need to be put in place, enforced with policies and procedures, and tested.
40. Scope of ISO 31000
• Provides principles, a framework and process for managing risks.
• It is easily adaptable to any business regardless of sector or industry.
• It is applicable to any type of risk, including Information Security and Business Continuity risks.
• Aims to simplify risk management.
• Not intended for certification.
41. What is Risk and Risk Management?
Risk management refers to a coordinated set of activities and methods that is used to direct an organization and to control the many risks that can affect its ability to achieve objectives.
According to ISO 31000, risk is the “effect of uncertainty on objectives”, and an effect is a positive or negative deviation from what is expected.
43. Risk Management Framework
A risk management framework provides the policies, procedures and organizational arrangements that will embed risk management throughout the organization at all levels.
The framework guides the establishment of the risk process.
45. Risk Assessment
Provides a structured process that identifies how objectives may be affected and analyses the risk in terms of consequences and their probabilities before deciding on whether further action is required.
Risk Assessment attempts to answer the following fundamental questions:
• What can happen and why? (By risk identification)
• What are the consequences?
• What is the probability of their future occurrence?
• Are there any factors that mitigate the consequence or probability of the risk?
• Is the level of risk tolerable or acceptable, and does it require further action?
46. Benefits of Effective Risk Management
• Organisations exhibiting mature risk management practices outperform their peers financially
• Enhanced compliance to legal and contractual obligations
• Provides better quality data for decision making
• Provides a roadmap for prioritizing actions
• Business Process Improvement
• Enhances communication and collaboration within an organisation
47. Considerations To Make
What are our risk management objectives: What are we hoping to achieve with the implementation of a risk framework based on ISO 31000?
Who is doing what: Roles and responsibilities should be clearly defined. Leadership must support Risk Management. Everyone is a risk manager (in their roles, not necessarily in title).
How will it be implemented: Document a process tailored for the organisation.
When will it be implemented: Risk management is a journey, not a destination. Risks should be continually assessed and mitigation strategies re-considered. Change is inevitable. Recognise new risks and opportunities.
48. Continuous Improvement
This is a process of increasing the effectiveness and efficiency of the organisation to fulfil its policy and objectives.
Taking consistent steps forward.
50. Discussion Question
I understand how these three standards can be of value to my company. We have not yet implemented any of these standards. Where should we start?
51. About ISO Standards
• ISO is a network of national standardization bodies from over 160 countries
• There are more than 788 technical bodies for standard development
• The final results of ISO’s work are published as international standards
• More than 21,000 standards have been published since 1947
52. Facts
• We have choices
• All three standards have merit and value
• We can have basic knowledge and an understanding of all three
• It is difficult to fully be a subject matter expert in everything
• An organization can be certified in multiple ISO standards
• But where to start?
53. Considerations
• Which of the three has greatest value to the organization and its stakeholders today? In the future?
• Which aligns with the organization’s vision, mission, policies?
• Not the latest trend, the latest hot topic, or one that was a perfect fit for another organization
• Is there a standard that is preferred or recommended by your business sector, industry, or profession?
54. Making the Best Selection
• What other standards does your organization use?
• Have you read and understood the standard(s) you are considering?
• Which standard addresses the company’s current greatest risks?
• Which standard has buy-in from interested parties – including executive management, business partners, regulatory agencies, etc.?
• Do a great many of your customers use, prefer, or require a specific standard?
• Is there a standard that is more widely used in your industry?
• Are all the right people involved in the selection process?
56. Key points to prevent ‘standards fatigue’
• Combine workshops where you can
• Create a ‘cross-walk’ of any standards and show the sections in other standards that cover the same/similar topics, e.g. ISO 27001, NIST